EXPLORE DETECTIONS

Lateral Movement Detection

This query identifies potential lateral movement activities by detecting remote connections and credential usage patterns across multiple hosts. This query uses CrowdStrike Query Language (CQL) to detect lateral movement activities: 1. **Network Connections**: `#event_simpleName=NetworkConnect` - Monitors outbound network connections from endpoints 2. **Target Ports**: `(RemotePort=445 OR RemotePort=3389 OR RemotePort=5985)` - Focuses on SMB (445), RDP (3389), and WinRM (5985) connections 3. **External Targets**: `!cidr(RemoteAddressIP4, subnet=["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"])` - Excludes internal network ranges to focus on external connections 4. **Process Context**: `join({#event_simpleName=ProcessRollup2}, field=[aid, RawProcessId], include=[ImageFileName, CommandLine])` - Adds process information for the connecting application 5. **User Context**: `join({#event_simpleName=UserIdentity}, field=AuthenticationID, include=[UserName])` - Enriches with user account information 6. **Output**: `table([aid, UserName, ImageFileName, RemoteAddressIP4, RemotePort, CommandLine])` - Shows user, process, target IP, and connection details

LeakNet Campaign: Deno Runtime & Klist Suspicious Execution Detection

Detects indicators of the LeakNet campaign (analyzed by ReliaQuest, March 2026), which uses ClickFix a social engineering tactic where compromised websites display fake error dialogs that coerce users into manually pasting and executing a malicious PowerShell/CMD command. This delivers a portable Deno (JavaScript runtime) binary to user-writable directories that runs malicious payloads entirely in memory, avoiding disk-based detection. The query targets the post-delivery kill chain: Deno execution from AppData/Temp/ProgramData paths, klist.exe usage from interactive shells indicating Kerberos ticket harvesting, Deno spawning reconnaissance and living-off-the-land binaries, and dangerous Deno runtime flags or remote code fetch patterns. A noise reduction filter excludes Deno running from standard developer or Program Files paths. This query detects post-exploitation activity associated with the LeakNet campaign, which was publicly analyzed by ReliaQuest in March 2026. LeakNet uses ClickFix — a social engineering technique where compromised websites present fake browser or application error dialogs that instruct users to copy a malicious command and paste it into a Run dialog or terminal. The pasted command downloads and executes a portable Deno binary, which then runs JavaScript payloads entirely in memory to evade traditional file-based detection. The query monitors CrowdStrike Falcon EDR `ProcessRollup2` telemetry and applies four detection clauses covering distinct stages of the LeakNet kill chain, followed by a noise reduction filter. CAMPAIGN DETAILS: Campaign: LeakNet Reference: ReliaQuest Threat Research, March 2026 Delivery: ClickFix social engineering → user-pasted PowerShell/CMD command Payload: Portable Deno binary dropped to AppData/Temp Execution: In-memory JavaScript payloads via Deno runtime Post-Exploitation: Credential enumeration (klist), host discovery, C2 callbacks VULNERABILITY DETAILS: CVE: N/A (Campaign-Specific TTPs / Living off the Land) Type: Initial Access, Execution, Credential Access, Discovery, Lateral Movement Status: ACTIVE CAMPAIGN — MONITORING FOR ANOMALOUS USAGE MITRE ATT&CK MAPPING: T1204.001 - User Execution: Malicious Link (ClickFix) T1059.007 - Command and Scripting Interpreter: JavaScript/TypeScript T1059.001 - Command and Scripting Interpreter: PowerShell T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting T1082 - System Information Discovery T1033 - System Owner/User Discovery T1016 - System Network Configuration Discovery T1087 - Account Discovery Tactics: Initial Access, Execution, Credential Access, Discovery, Lateral Movement EXPLOITATION REQUIREMENTS: - User interaction required (ClickFix paste-and-execute social engineering) - Deno binary present on disk (often portable/non-installed) - Execution within user-writable context (AppData/Temp) - Network access for remote script fetching (--allow-net) USE CASES: - Detect Deno-based malware or C2 stagers - Identify Kerberos ticket enumeration via klist.exe - Track post-exploitation discovery commands spawned by script runtimes - Flag dangerous Deno permission flags and remote code execution patterns DATA SOURCE: Event Type: ProcessRollup2 Required Fields: ImageFileName, CommandLine, ComputerName, UserName, ParentBaseFileName Sensor: CrowdStrike Falcon EDR AFFECTED SYSTEMS: - Windows 10/11 - Windows Server 2016/2019/2022 FALSE POSITIVES: - Legitimate developer activity (Deno used in IDE/Repos) - Automated IT scripts using klist for troubleshooting - Deno-based internal tools running from standard Program Files paths - DevOps pipelines that invoke Deno with --allow-net against internal registries INVESTIGATION NOTES: 1. Check if the Deno binary is signed and from a known developer location. 2. Review the CommandLine for --allow-all or remote URLs (http/https). 3. Correlate klist usage with recent logins or network connections to Domain Controllers. 4. Inspect the parent process of klist.exe; interactive shells are higher risk. 5. Verify if the user is a known developer or DevOps engineer. 6. Cross-reference SHA256HashData against known-good Deno release hashes. TUNING RECOMMENDATIONS: - Add specific exclusion for local 'dev' or 'git' directories. - Filter out known-good service accounts that use klist for health checks. - Baseline Deno usage by SHA256 if a standard version is deployed. - Add UserName exclusions for known developer accounts if discovery clause is noisy. REMEDIATION: Priority: MEDIUM (Context Dependent) Action: Quarantine suspicious Deno binaries found in AppData/Temp. Patches: Ensure Deno is updated to the latest version to prevent engine exploits. QUERY LOGIC: 1. Filters for ProcessRollup2 events. 2. Checks for Deno in writable paths (Local/Roaming/Temp/ProgramData). 3. Flags klist.exe when spawned by common shells or script hosts. 4. Monitors Deno spawning living-off-the-land and discovery binaries. 5. Identifies dangerous Deno flags or remote fetch commands in the command line. 6. Applies a global noise reduction for standard Program Files or developer paths.

List all Identity Protection Detections

List of all IDP detections.

List of attachments sent from Outlook

LOLBin Certutil

This query detects the use of certutil.exe. Certutil.exe – A Windows certificate-management tool that attackers often misuse to download executables or script files (even into alternate data streams), as well as encode or decode payloads, aiding stealthy file delivery and evasion techniques. [LOLBAS - Certutil.exe](https://lolbas-project.github.io/lolbas/Binaries/Certutil/)

LOLBin Mshta

This query detects the use of mshta.exe. Mshta.exe – A Windows utility for executing HTML Applications (`.hta`) — often abused to run embedded or remote VBScript, JScript, or download-and-execute payloads via alternate data streams or web URLs. [LOLBAS - Mshta.exe](https://lolbas-project.github.io/lolbas/Binaries/Mshta/)

LOLBin Msiexec

This query detects the use of Msiexec.exe. Msiexec.exe – A Windows Installer utility that executes MSI packages or DLLs (including remote or transformed payloads), frequently misused by attackers for stealthy code execution and application control bypass. [LOLBAS - Msiexec.exe](https://lolbas-project.github.io/lolbas/Binaries/Msiexec/)

LOLBin Regsvr32

This query detects the use of Regsvr32 when it has loaded scrobj.dll. Regsvr32.exe – A native Windows tool designed to register DLLs, but frequently misused by attackers to execute remote or local scriptlets (SCT files)—often enabling Application Whitelisting bypass and stealthy code execution. [LOLBAS - Regsvr32.exe](https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/)

LOLBin Rundll32

This query detects the use of Rundll32 from parents that are known for misuse. Rundll32.exe – A native Windows binary that can be abused to execute DLLs, scripts, and other payloads, making it a common technique in Living-off-the-Land attacks. [LOLBAS - Rundll32.exe](https://lolbas-project.github.io/lolbas/Binaries/Rundll32/)

LOLBin WMIC

This query detects the use of WMIC. Wmic.exe – A built-in Windows tool for scripting and remote system management, which adversaries exploit to run commands, load executables via alternate data streams, execute remote or XSL-formatted payloads, and move files stealthily. [LOLBAS - Wmic.exe](https://lolbas-project.github.io/lolbas/Binaries/Wmic/)

Malicious Chrome Extension FreeVPN-One Detection

This Logic detects the presence of the malicious Chrome extension FreeVPN[.]One by identifying its unique extension ID across installed browsers. The logic further correlates this presence with network communications initiated by the extension to suspicious or untrusted domains. By combining extension enumeration with traffic analysis, the detection ensures high fidelity with minimal false positives. This layered approach strengthens visibility into malicious browser add-ons masquerading as VPN tools. Reference: [GitHub Aamir-Muhammad/CrowdStrike-Queries](https://github.com/Aamir-Muhammad/CrowdStrike-Queries/blob/main/Hunting-Queries/Malicious-Chrome-Extension-FreeVPN.One-Detection.md)

MFA Failures

Displays the count of MFA authentication failures caused by service errors or user not being enrolled. A sudden spike in these errors may indicate a service incident requiring immediate investigation and response.

MFA Status Monitoring

Displays Multi-Factor Authentication (MFA) status events over time. Monitor for unexpected spikes in denials, errors, or timeouts that may indicate security threats, system issues, or user experience problems requiring investigation.

MongoDB Processes on Windows & Linux Hosts (CVE-2025-14847)

This query identifies Windows and Linux Hosts running MongoDB processes.

New API Keys within the Falcon Platform

This query provides a list of newly created API Keys, including relevant details such as Client Name and Client ID.

New installed Sensors

This query loads host inventory data from aid_master_main.csv, enriches it with details from aid_master_details.csv, and outputs a cleaned, formatted table of host information.

Notepad++ supply chain attack

This query detects a state-sponsored supply chain attack where the legitimate Notepad++ updater (gup.exe) is hijacked to download the Chrysalis backdoor. It identifies the attack by spotting unauthorized network connections from the updater, malicious DLL side-loading (e.g., BluetoothService.exe loading log.dll), and data exfiltration commands involving curl and temp.sh. https://notepad-plus-plus.org/news/hijacked-incident-info-update/ https://notepad-plus-plus.org/news/clarification-security-incident/ https://securelist.com/notepad-supply-chain-attack/118708/ https://notepad-plus-plus.org/assets/data/IoCFromFormerHostingProvider.txt https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/

OS Platform ratio

This query aggregates SensorHeartbeat events by operating system platform to show the relative distribution of endpoints per OS. It is well suited for visualization as a pie chart, providing a quick overview of platform coverage and identifying imbalances or unexpected OS presence in the environment.

Packages in Container Images - Match Lookup File

Parses packages from ImageVulnerabilityEvents and cross-references it with a lookup file to identify matching entries. A lookup file with a list of packages needs to be uploaded first. Example: |PackageName|Version| |---|---| |Package|1.0.0|

Packages in Container Images - Match Parameter

Searches packages using the provided parameter and returns the corresponding image repository.

Phishing - List of links opened from Outlook

Powershell Command Length Anomaly Detection

This query establishes a 7-day baseline of average PowerShell command lengths for each host. It then compares this baseline to the average command length of the last 24 hours. The query identifies hosts with a significant percentage increase in command length, which can be an indicator for obfuscation, fileless execution, or other malicious activities associated with "Living off the Land" techniques. ## Why Powershell is a Target for Attackers Powershell is an integral part of modern Windows systems and offers powerful automation capabilities through its .NET integration. These features also make it attractive to attackers: - **Pre-installed:** Available on every Windows system (no additional code needed). - **Powerful Access:** Direct access to Windows APIs and network resources. - **In-Memory Execution:** Capable of running code directly from memory (fileless execution). - **Often Under-Monitored:** Frequently lacks sufficient monitoring or restrictions. Attackers use **"Living off the Land"** tactics to leverage PowerShell for stealthy attacks without deploying additional tools. ## Why Command Length Deviations Indicate Threats Attackers often employ methods that result in unusually long command lines. Monitoring deviations from normal command length is a valuable approach for detecting suspicious activity. Unusually long commands can indicate: * **Obfuscation:** * **Encoding:** Using Base64 (`-EncodedCommand`), hexadecimal, or ASCII to hide commands. * **Escape Characters:** Using backticks (`) to impair readability. * **Embedding Payloads:** Inserting entire scripts or binary payloads directly into the command line. * **Fileless Execution & LotL:** Complex one-liners are used to download and execute payloads from remote sources, leading to longer commands. * **Offensive Frameworks:** Tools like Empire, PowerSploit, or Cobalt Strike often generate long, obfuscated commands for their payloads. Unusually long commands are a strong indicator because they directly correlate with common attacker techniques for evasion and execution (e.g., [T1027.010 Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027/010/)). Legitimate administrative tasks rarely require the extreme lengths produced by these methods. | Technique | Impact on Length | Description | | :--- | :--- | :--- | | Base64 (`-EncodedCommand`)| Significant Increase | Hides script content; very common for payload delivery. | | String Concatenation | Moderate/Variable Increase | Used to break up keywords and evade simple string matching. | | Remote Download Cradles | Variable (Often Long) | Commands like `IEX (New-Object Net.WebClient).DownloadString(...)` can be long. | | Embedded Scripts/Payloads | Significant Increase | Entire scripts or binaries are passed in the command line, nearing max length. | ## The Power of Baselining: Establishing "Normal" This query is based on the core idea of baselining "normal" activity for PowerShell command lengths and then identifying significant deviations from that norm. ### Creating the Baseline The query analyzes historical PowerShell executions over a defined period (7 days) to calculate statistical measures (the average) for command lengths. This establishes the expected range. By comparing the last day's average length against this historical baseline, the query can flag anomalous increases. A **7-day baseline** is chosen to: - Capture weekly operational cycles (e.g., weekend maintenance scripts). - Balance stability and adaptability, smoothing out daily fluctuations while remaining responsive to real changes.

Powershell Downloads

This query detects powershell downloads using `Start-BitsTransfer`, `Invoke-WebRequest`, or `System.Net.WebClient`.

Rare Remote Ports in Network Connections

The query analyzes IPv4 network connection events, counts occurrences per remote port, calculates their percentage of total connections, and lists only ports representing less than 10% of the traffic. Reference: [GitHub CrowdStrike/logscale-community](https://github.com/CrowdStrike/logscale-community-content/blob/main/Queries-Only/Helpful-CQL-Queries/Bottom%2010%25%20of%20NetworkConnct%20Port%20Values.md)